Chapter 5. User Education

Security awareness is lacking in most organizations. The best approach to educating users about security is to find a way to demonstrate, with appropriate metrics, that you are successfully implementing change and producing a more secure line of defense. A large portion of the information security industry is focused on perimeter security, virtual private networks (VPNs), web application firewalls (WAFs), email filtering, etc. However, we are beginning to see a shift from strictly data-level protection to an increased focus on user-level security and reporting. The defense-in-depth mentality, and the view of security as a process, must be filtered down and incorporated into user training.

Before you spend money on threat intel that may tell you how better to defend your specific sector, it’s a good idea to start where everyone is being attacked. One of the largest threats today remains the targeting of our weakest link: people. According to the 2023 Verizon Data Breach Investigations Report (DBIR), “74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering. … The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities.” (Verizon updated its metrics in 2024 to show that only 68% of breaches involved users, to separate out the difference in human error and human-targeted attacks.)

In this chapter ...

Get Defensive Security Handbook, 2nd Edition now with the O’Reilly learning platform.